I was checking out my server logs (gripping reading, could not put it down) when I saw these two entries:
208.78.98.108 - - [09/Jul/2007:20:28:07 -0400] "GET /wp-pass.php?_wp_http_referer=http://topnlpsites.com/images/gif/echo.txt? HTTP/1.1" 403 860 "-" "libwww-perl/5.803" 81.169.188.151 - - [09/Jul/2007:20:54:39 -0400] "GET /wp-pass.php?_wp_http_referer=http://doublezer0.free.fr/echo.txt? HTTP/1.1" 403 1032 "-" "libwww-perl/5.69"
File wp-pass.php? Where’d that come from?
See the BUGTRAQ explanation here. By passing arguments to wp-pass.php, the wp-pass.php file will send the requesting browser to the URL that wp_http_refferer points to. By using a simple script the WordPress installation is easily verified as susceptible.
The bad buy sends out a SPAM or bogus link that points to a WordPress installation and that WordPress blog redirects the request to where ever the attacker wants. This is not earth shattering but really annoying.
Luckily Apache’s .htaccess is our friend. In my blog root at the end of my .htaccess file I added the following two lines:
RewriteCond %{REQUEST_URI} ".*wp-pass.php" RewriteRule .* - [F]
I do not have any password protected posts so I don’t use that file (which is all I gather it is for…) and after implementing this my blog continues to work fine. Any requests that match that rewrite conditions gets a return value of 403: Forbiden.
This is to be fixed in WordPress 2.2.2 says the posting. The BUGTRAQ posting also mentions wp-includes/pluggable.php, wp-includes/functions.php maybe vulnerable due to the use of problematic code.
AskApache says:
Nice tip Jan, that is really useful code for a lot of .htaccess uses..
November 4, 2007 — 4:15 pm